[5.2] SR-11354: Foundation.Process inherits file descriptors into the child process

Foundation/Process.swift

@@ -9,6 +9,10 @@
 
 import CoreFoundation
 
+#if canImport(Darwin)
+import Darwin
+#endif
+
 extension Process {
     public enum TerminationReason : Int {
         case exit
@@ -56,6 +60,43 @@ extension CFSocketError {
 }
 #endif
 
+#if !canImport(Darwin) && !os(Windows)
+private func findMaximumOpenFromProcSelfFD() -> CInt? {
+    guard let dirPtr = opendir("/proc/self/fd") else {
+        return nil
+    }
+    defer {
+        closedir(dirPtr)
+    }
+    var highestFDSoFar = CInt(0)
+
+    while let dirEntPtr = readdir(dirPtr) {
+        var entryName = dirEntPtr.pointee.d_name
+        let thisFD = withUnsafeBytes(of: &entryName) { entryNamePtr -> CInt? in
+            CInt(String(decoding: entryNamePtr.prefix(while: { $0 != 0 }), as: Unicode.UTF8.self))
+        }
+        highestFDSoFar = max(thisFD ?? -1, highestFDSoFar)
+    }
+
+    return highestFDSoFar
+}
+
+func findMaximumOpenFD() -> CInt {
+    if let maxFD = findMaximumOpenFromProcSelfFD() {
+        // the precise method worked, let's return this fd.
+        return maxFD
+    }
+
+    // We don't have /proc, let's go with the best estimate.
+#if os(Linux)
+    return getdtablesize()
+#else
+    return 4096
+#endif
+}
+#endif
+
+
 private func emptyRunLoopCallback(_ context : UnsafeMutableRawPointer?) -> Void {}
 
 
@@ -872,6 +913,21 @@ open class Process: NSObject {
             posix(_CFPosixSpawnFileActionsAddClose(fileActions, fd))
         }
 
+        #if canImport(Darwin)
+        var spawnAttrs: posix_spawnattr_t? = nil
+        posix_spawnattr_init(&spawnAttrs)
+        posix_spawnattr_setflags(&spawnAttrs, .init(POSIX_SPAWN_CLOEXEC_DEFAULT))
+        #else
+        for fd in 3 ... findMaximumOpenFD() {
+            guard adddup2[fd] == nil &&
+                  !addclose.contains(fd) &&
+                  fd != taskSocketPair[1] else {
+                    continue // Do not double-close descriptors, or close those pertaining to Pipes or FileHandles we want inherited.
+            }
+            posix(_CFPosixSpawnFileActionsAddClose(fileActions, fd))
+        }
+        #endif
+
         let fileManager = FileManager()
         let previousDirectoryPath = fileManager.currentDirectoryPath
         if let dir = currentDirectoryURL?.path, !fileManager.changeCurrentDirectoryPath(dir) {
@@ -885,9 +941,16 @@ open class Process: NSObject {
 
         // Launch
         var pid = pid_t()
+        #if os(macOS)
+        guard _CFPosixSpawn(&pid, launchPath, fileActions, &spawnAttrs, argv, envp) == 0 else {
+            throw _NSErrorWithErrno(errno, reading: true, path: launchPath)
+        }
+        #else
         guard _CFPosixSpawn(&pid, launchPath, fileActions, nil, argv, envp) == 0 else {
             throw _NSErrorWithErrno(errno, reading: true, path: launchPath)
         }
+        #endif
+
 
         // Close the write end of the input and output pipes.
         if let pipe = standardInput as? Pipe {

TestFoundation/TestProcess.swift

@@ -750,6 +750,45 @@ class TestProcess : XCTestCase {
         }
     }
 
+    #if !os(Windows)
+    func test_fileDescriptorsAreNotInherited() throws {
+        let task = Process()
+        let someExtraFDs = [dup(1), dup(1), dup(1), dup(1), dup(1), dup(1), dup(1)]
+        task.executableURL = xdgTestHelperURL()
+        task.arguments = ["--print-open-file-descriptors"]
+        task.standardInput = FileHandle.nullDevice
+        let stdoutPipe = Pipe()
+        task.standardOutput = stdoutPipe.fileHandleForWriting
+        task.standardError = FileHandle.nullDevice
+        XCTAssertNoThrow(try task.run())
+
+        try stdoutPipe.fileHandleForWriting.close()
+        let stdoutData = try stdoutPipe.fileHandleForReading.readToEnd()
+        task.waitUntilExit()
+        let stdoutString = String(decoding: stdoutData ?? Data(), as: Unicode.UTF8.self)
+        #if os(macOS)
+        XCTAssertEqual("0\n1\n2\n", stdoutString)
+        #else
+        // on Linux we may also have a /dev/urandom open as well as some socket that Process uses for something.
+
+        // we should definitely have stdin (0), stdout (1), and stderr (2) open
+        XCTAssert(stdoutString.utf8.starts(with: "0\n1\n2\n".utf8))
+
+        // in total we should have 6 or fewer lines:
+        // 1. stdin
+        // 2. stdout
+        // 3. stderr
+        // 4. /dev/urandom (optional)
+        // 5. communication socket (optional)
+        // 6. trailing new line
+        XCTAssertLessThanOrEqual(stdoutString.components(separatedBy: "\n").count, 6, "\(stdoutString)")
+        #endif
+        for fd in someExtraFDs {
+            close(fd)
+        }
+    }
+    #endif
+
     static var allTests: [(String, (TestProcess) -> () throws -> Void)] {
         var tests = [
             ("test_exit0" , test_exit0),
@@ -786,6 +825,7 @@ class TestProcess : XCTestCase {
         tests += [
             ("test_interrupt", test_interrupt),
             ("test_suspend_resume", test_suspend_resume),
+            ("test_fileDescriptorsAreNotInherited", test_fileDescriptorsAreNotInherited),
         ]
 #endif
         return tests

TestFoundation/xdgTestHelper/main.swift

@@ -196,6 +196,23 @@ func cat(_ args: ArraySlice<String>.Iterator) {
     exit(exitCode)
 }
 
+#if !os(Windows)
+func printOpenFileDescriptors() {
+    let reasonableMaxFD: CInt
+    #if os(Linux) || os(macOS)
+    reasonableMaxFD = getdtablesize()
+    #else
+    reasonableMaxFD = 4096
+    #endif
+    for fd in 0..<reasonableMaxFD {
+        if fcntl(fd, F_GETFD) != -1 {
+            print(fd)
+        }
+    }
+    exit(0)
+}
+#endif
+
 // -----
 
 var arguments = ProcessInfo.processInfo.arguments.dropFirst().makeIterator()
@@ -254,8 +271,11 @@ case "--nspathfor":
 #if !os(Windows)
 case "--signal-test":
     signalTest()
+
+case "--print-open-file-descriptors":
+    printOpenFileDescriptors()
 #endif
-    
+
 default:
     fatalError("These arguments are not recognized. Only run this from a unit test.")
 }